private void Init()
{
var dbPassword = _context.Stub ? "RANDOM_DATABASE_PASSWORD" : Helpers.SecureRandomString(32);
var dbConnectionString = new SqlConnectionStringBuilder
{
DataSource = "tcp:mssql,1433",
InitialCatalog = "vault",
UserID = "sa",
Password = dbPassword,
MultipleActiveResultSets = false,
Encrypt = true,
ConnectTimeout = 30,
TrustServerCertificate = true,
PersistSecurityInfo = false
}.ConnectionString;
_globalOverrideValues = new Dictionary <string, string>
{
["globalSettings__baseServiceUri__vault"] = _context.Config.Url,
["globalSettings__baseServiceUri__api"] = $"{_context.Config.Url}/api",
["globalSettings__baseServiceUri__identity"] = $"{_context.Config.Url}/identity",
["globalSettings__baseServiceUri__admin"] = $"{_context.Config.Url}/admin",
["globalSettings__baseServiceUri__notifications"] = $"{_context.Config.Url}/notifications",
["globalSettings__sqlServer__connectionString"] = $"\"{dbConnectionString}\"",
["globalSettings__identityServer__certificatePassword"] = _context.Install?.IdentityCertPassword,
["globalSettings__attachment__baseDirectory"] = $"{_context.OutputDir}/core/attachments",
["globalSettings__attachment__baseUrl"] = $"{_context.Config.Url}/attachments",
["globalSettings__dataProtection__directory"] = $"{_context.OutputDir}/core/aspnet-dataprotection",
["globalSettings__logDirectory"] = $"{_context.OutputDir}/logs",
["globalSettings__licenseDirectory"] = $"{_context.OutputDir}/core/licenses",
["globalSettings__internalIdentityKey"] = _context.Stub ? "RANDOM_IDENTITY_KEY" :
Helpers.SecureRandomString(64, alpha: true, numeric: true),
["globalSettings__duo__aKey"] = _context.Stub ? "RANDOM_DUO_AKEY" :
Helpers.SecureRandomString(64, alpha: true, numeric: true),
["globalSettings__installation__id"] = _context.Install?.InstallationId.ToString(),
["globalSettings__installation__key"] = _context.Install?.InstallationKey,
["globalSettings__yubico__clientId"] = "REPLACE",
["globalSettings__yubico__key"] = "REPLACE",
["globalSettings__mail__replyToEmail"] = $"no-reply@{_context.Config.Domain}",
["globalSettings__mail__smtp__host"] = "REPLACE",
["globalSettings__mail__smtp__port"] = "587",
["globalSettings__mail__smtp__ssl"] = "false",
["globalSettings__mail__smtp__username"] = "******",
["globalSettings__mail__smtp__password"] = "******",
["globalSettings__disableUserRegistration"] = "false",
["adminSettings__admins"] = string.Empty,
};
if (!_context.Config.PushNotifications)
{
_globalOverrideValues.Add("globalSettings__pushRelayBaseUri", "REPLACE");
}
_mssqlOverrideValues = new Dictionary <string, string>
{
["ACCEPT_EULA"] = "Y",
["MSSQL_PID"] = "Express",
["SA_PASSWORD"] = dbPassword,
};
}
private void Init()
{
var dbPassword = _context.Stub ? "RANDOM_DATABASE_PASSWORD" : Helpers.SecureRandomString(32);
var dbConnectionString = new SqlConnectionStringBuilder
{
DataSource = "tcp:mssql,1433",
InitialCatalog = _context.Install?.Database ?? "vault",
UserID = "sa",
Password = dbPassword,
MultipleActiveResultSets = false,
Encrypt = true,
ConnectTimeout = 30,
TrustServerCertificate = true,
PersistSecurityInfo = false
}.ConnectionString;
_globalOverrideValues = new Dictionary <string, string>
{
["globalSettings__baseServiceUri__vault"] = _context.Config.Url,
["globalSettings__sqlServer__connectionString"] = $"\"{dbConnectionString.Replace("\"", "\\\"")}\"",
["globalSettings__identityServer__certificatePassword"] = _context.Install?.IdentityCertPassword,
["globalSettings__internalIdentityKey"] = _context.Stub ? "RANDOM_IDENTITY_KEY" :
Helpers.SecureRandomString(64, alpha: true, numeric: true),
["globalSettings__oidcIdentityClientKey"] = _context.Stub ? "RANDOM_IDENTITY_KEY" :
Helpers.SecureRandomString(64, alpha: true, numeric: true),
["globalSettings__duo__aKey"] = _context.Stub ? "RANDOM_DUO_AKEY" :
Helpers.SecureRandomString(64, alpha: true, numeric: true),
["globalSettings__installation__id"] = _context.Install?.InstallationId.ToString(),
["globalSettings__installation__key"] = _context.Install?.InstallationKey,
["globalSettings__yubico__clientId"] = "REPLACE",
["globalSettings__yubico__key"] = "REPLACE",
["globalSettings__mail__replyToEmail"] = $"no-reply@{_context.Config.Domain}",
["globalSettings__mail__smtp__host"] = "REPLACE",
["globalSettings__mail__smtp__port"] = "587",
["globalSettings__mail__smtp__ssl"] = "false",
["globalSettings__mail__smtp__username"] = "******",
["globalSettings__mail__smtp__password"] = "******",
["globalSettings__disableUserRegistration"] = "false",
["globalSettings__hibpApiKey"] = "REPLACE",
["adminSettings__admins"] = string.Empty,
};
if (!_context.Config.PushNotifications)
{
_globalOverrideValues.Add("globalSettings__pushRelayBaseUri", "REPLACE");
}
_mssqlOverrideValues = new Dictionary <string, string>
{
["SA_PASSWORD"] = dbPassword,
};
}
private void Init()
{
var dbPassword = Helpers.SecureRandomString(32);
var dbConnectionString = Helpers.MakeSqlConnectionString("mssql", "vault", "sa", dbPassword);
_globalOverrideValues = new Dictionary <string, string>
{
["globalSettings__baseServiceUri__vault"] = _context.Config.Url,
["globalSettings__baseServiceUri__api"] = $"{_context.Config.Url}/api",
["globalSettings__baseServiceUri__identity"] = $"{_context.Config.Url}/identity",
["globalSettings__baseServiceUri__admin"] = $"{_context.Config.Url}/admin",
["globalSettings__baseServiceUri__notifications"] = $"{_context.Config.Url}/notifications",
["globalSettings__sqlServer__connectionString"] = $"\"{dbConnectionString}\"",
["globalSettings__identityServer__certificatePassword"] = _context.Install?.IdentityCertPassword,
["globalSettings__attachment__baseDirectory"] = $"{_context.OutputDir}/core/attachments",
["globalSettings__attachment__baseUrl"] = $"{_context.Config.Url}/attachments",
["globalSettings__dataProtection__directory"] = $"{_context.OutputDir}/core/aspnet-dataprotection",
["globalSettings__logDirectory"] = $"{_context.OutputDir}/logs",
["globalSettings__licenseDirectory"] = $"{_context.OutputDir}/core/licenses",
["globalSettings__internalIdentityKey"] = Helpers.SecureRandomString(64, alpha: true, numeric: true),
["globalSettings__duo__aKey"] = Helpers.SecureRandomString(64, alpha: true, numeric: true),
["globalSettings__installation__id"] = _context.Install?.InstallationId.ToString(),
["globalSettings__installation__key"] = _context.Install?.InstallationKey,
["globalSettings__yubico__clientId"] = "REPLACE",
["globalSettings__yubico__key"] = "REPLACE",
["globalSettings__mail__replyToEmail"] = $"no-reply@{_context.Config.Domain}",
["globalSettings__mail__smtp__host"] = "REPLACE",
["globalSettings__mail__smtp__username"] = "******",
["globalSettings__mail__smtp__password"] = "******",
["globalSettings__mail__smtp__ssl"] = "true",
["globalSettings__mail__smtp__port"] = "587",
["globalSettings__mail__smtp__useDefaultCredentials"] = "false",
["globalSettings__disableUserRegistration"] = "false",
["adminSettings__admins"] = string.Empty,
};
if (!_context.Config.PushNotifications)
{
_globalOverrideValues.Add("globalSettings__pushRelayBaseUri", "REPLACE");
}
_mssqlOverrideValues = new Dictionary <string, string>
{
["ACCEPT_EULA"] = "Y",
["MSSQL_PID"] = "Express",
["SA_PASSWORD"] = dbPassword,
};
}
private static void BuildEnvironmentFiles()
{
Console.WriteLine("Building docker environment override files.");
Directory.CreateDirectory("/bitwarden/env/");
var dbPass = Helpers.SecureRandomString(32);
var dbConnectionString = Helpers.MakeSqlConnectionString("mssql", "vault", "sa", dbPass);
using (var sw = File.CreateText("/bitwarden/env/global.override.env"))
{
sw.Write($@"globalSettings__baseServiceUri__vault={_url}
globalSettings__baseServiceUri__api={_url}/api
globalSettings__baseServiceUri__identity={_url}/identity
globalSettings__sqlServer__connectionString=""{dbConnectionString}""
globalSettings__identityServer__certificatePassword={_identityCertPassword}
globalSettings__attachment__baseDirectory={_outputDir}/core/attachments
globalSettings__attachment__baseUrl={_url}/attachments
globalSettings__dataProtection__directory={_outputDir}/core/aspnet-dataprotection
globalSettings__logDirectory={_outputDir}/core/logs
globalSettings__licenseDirectory={_outputDir}/core/licenses
globalSettings__duo__aKey={Helpers.SecureRandomString(64, alpha: true, numeric: true)}
globalSettings__installation__id={_installationId}
globalSettings__installation__key={_installationKey}
globalSettings__yubico__clientId=REPLACE
globalSettings__yubico__key=REPLACE
globalSettings__mail__replyToEmail=no-reply@{_domain}
globalSettings__mail__smtp__host=REPLACE
globalSettings__mail__smtp__username=REPLACE
globalSettings__mail__smtp__password=REPLACE
globalSettings__mail__smtp__ssl=true
globalSettings__mail__smtp__port=587
globalSettings__mail__smtp__useDefaultCredentials=false
globalSettings__disableUserRegistration=false");
if (!_push)
{
sw.Write(@"
globalSettings__pushRelayBaseUri=REPLACE");
}
}
using (var sw = File.CreateText("/bitwarden/env/mssql.override.env"))
{
sw.Write($@"ACCEPT_EULA=Y
MSSQL_PID=Express
SA_PASSWORD={dbPass}");
}
}
private void Init(bool forInstall)
{
var dbConnectionString = Helpers.MakeSqlConnectionString("mssql", "vault", "sa", DatabasePassword);
_globalValues = new Dictionary <string, string>
{
["globalSettings__baseServiceUri__vault"] = Url,
["globalSettings__baseServiceUri__api"] = $"{Url}/api",
["globalSettings__baseServiceUri__identity"] = $"{Url}/identity",
["globalSettings__sqlServer__connectionString"] = $"\"{ dbConnectionString }\"",
["globalSettings__identityServer__certificatePassword"] = IdentityCertPassword,
["globalSettings__attachment__baseDirectory"] = $"{OutputDirectory}/core/attachments",
["globalSettings__attachment__baseUrl"] = $"{Url}/attachments",
["globalSettings__dataProtection__directory"] = $"{OutputDirectory}/core/aspnet-dataprotection",
["globalSettings__logDirectory"] = $"{OutputDirectory}/core/logs",
["globalSettings__licenseDirectory"] = $"{OutputDirectory}/core/licenses",
["globalSettings__duo__aKey"] = $"{Helpers.SecureRandomString(64, alpha: true, numeric: true)}",
["globalSettings__installation__id"] = InstallationId?.ToString(),
["globalSettings__installation__key"] = InstallationKey,
["globalSettings__yubico__clientId"] = "REPLACE",
["globalSettings__yubico__key"] = "REPLACE",
["globalSettings__mail__replyToEmail"] = $"no-reply@{Domain}",
["globalSettings__mail__smtp__host"] = "REPLACE",
["globalSettings__mail__smtp__username"] = "******",
["globalSettings__mail__smtp__password"] = "******",
["globalSettings__mail__smtp__ssl"] = "true",
["globalSettings__mail__smtp__port"] = "587",
["globalSettings__mail__smtp__useDefaultCredentials"] = "false",
["globalSettings__disableUserRegistration"] = "false",
};
if (forInstall && !Push)
{
_globalValues.Add("globalSettings__pushRelayBaseUri", "REPLACE");
}
_mssqlValues = new Dictionary <string, string>
{
["ACCEPT_EULA"] = "Y",
["MSSQL_PID"] = "Express",
["SA_PASSWORD"] = DatabasePassword,
};
}
private static void Install()
{
_outputDir = _parameters.ContainsKey("out") ?
_parameters["out"].ToLowerInvariant() : _outputDir;
_domain = _parameters.ContainsKey("domain") ?
_parameters["domain"].ToLowerInvariant() : "localhost";
_letsEncrypt = _parameters.ContainsKey("letsencrypt") ?
_parameters["letsencrypt"].ToLowerInvariant() == "y" : false;
if (!ValidateInstallation())
{
return;
}
_ssl = _letsEncrypt;
if (!_letsEncrypt)
{
Console.Write("(!) Do you have a SSL certificate to use? (y/n): ");
_ssl = Console.ReadLine().ToLowerInvariant() == "y";
if (_ssl)
{
Console.WriteLine("Make sure 'certificate.crt' and 'private.key' are provided in the " +
"appropriate directory (see setup instructions).");
}
}
_identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
MakeCerts();
_url = _ssl ? $"https://{_domain}" : $"http://{_domain}";
BuildNginxConfig();
Console.Write("(!) Do you want to use push notifications? (y/n): ");
_push = Console.ReadLine().ToLowerInvariant() == "y";
BuildEnvironmentFiles();
BuildAppSettingsFiles();
BuildAppId();
}
public void BuildForInstall()
{
if (_context.Stub)
{
_context.Config.Ssl = true;
_context.Install.Trusted = true;
_context.Install.SelfSignedCert = false;
_context.Install.DiffieHellman = false;
_context.Install.IdentityCertPassword = "******";
return;
}
_context.Config.Ssl = _context.Config.SslManagedLetsEncrypt;
if (!_context.Config.Ssl)
{
var skipSSL = _context.Parameters.ContainsKey("skip-ssl") && (_context.Parameters["skip-ssl"] == "true" || _context.Parameters["skip-ssl"] == "1");
if (!skipSSL)
{
_context.Config.Ssl = Helpers.ReadQuestion("Do you have a SSL certificate to use?");
if (_context.Config.Ssl)
{
Directory.CreateDirectory($"/bitwarden/ssl/{_context.Install.Domain}/");
var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" +
"appropriate directory before running 'start' (see docs for info).";
Helpers.ShowBanner(_context, "NOTE", message);
}
else if (Helpers.ReadQuestion("Do you want to generate a self-signed SSL certificate?"))
{
Directory.CreateDirectory($"/bitwarden/ssl/self/{_context.Install.Domain}/");
Helpers.WriteLine(_context, "Generating self signed SSL certificate.");
_context.Config.Ssl = true;
_context.Install.Trusted = false;
_context.Install.SelfSignedCert = true;
Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -days 36500 " +
$"-keyout /bitwarden/ssl/self/{_context.Install.Domain}/private.key " +
$"-out /bitwarden/ssl/self/{_context.Install.Domain}/certificate.crt " +
$"-reqexts SAN -extensions SAN " +
$"-config <(cat /usr/lib/ssl/openssl.cnf <(printf '[SAN]\nsubjectAltName=DNS:{_context.Install.Domain}\nbasicConstraints=CA:true')) " +
$"-subj \"/C=US/ST=California/L=Santa Barbara/O=Bitwarden Inc./OU=Bitwarden/CN={_context.Install.Domain}\"");
}
}
}
if (_context.Config.SslManagedLetsEncrypt)
{
_context.Install.Trusted = true;
_context.Install.DiffieHellman = true;
Directory.CreateDirectory($"/bitwarden/letsencrypt/live/{_context.Install.Domain}/");
Helpers.Exec($"openssl dhparam -out " +
$"/bitwarden/letsencrypt/live/{_context.Install.Domain}/dhparam.pem 2048");
}
else if (_context.Config.Ssl && !_context.Install.SelfSignedCert)
{
_context.Install.Trusted = Helpers.ReadQuestion("Is this a trusted SSL certificate " +
"(requires ca.crt, see docs)?");
}
Helpers.WriteLine(_context, "Generating key for IdentityServer.");
_context.Install.IdentityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
Directory.CreateDirectory("/bitwarden/identity/");
Helpers.Exec("openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout identity.key " +
"-out identity.crt -subj \"/CN=Bitwarden IdentityServer\" -days 36500");
Helpers.Exec("openssl pkcs12 -export -out /bitwarden/identity/identity.pfx -inkey identity.key " +
$"-in identity.crt -passout pass:{_context.Install.IdentityCertPassword}");
Helpers.WriteLine(_context);
if (!_context.Config.Ssl)
{
var message = "You are not using a SSL certificate. Bitwarden requires HTTPS to operate. \n" +
"You must front your installation with a HTTPS proxy or the web vault (and \n" +
"other Bitwarden apps) will not work properly.";
Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
}
else if (_context.Config.Ssl && !_context.Install.Trusted)
{
var message = "You are using an untrusted SSL certificate. This certificate will not be \n" +
"trusted by Bitwarden client applications. You must add this certificate to \n" +
"the trusted store on each device or else you will receive errors when trying \n" +
"to connect to your installation.";
Helpers.ShowBanner(_context, "WARNING", message, ConsoleColor.Yellow);
}
}
private static void Install()
{
var outputDir = _parameters.ContainsKey("out") ?
_parameters["out"].ToLowerInvariant() : "/etc/bitwarden";
var domain = _parameters.ContainsKey("domain") ?
_parameters["domain"].ToLowerInvariant() : "localhost";
var letsEncrypt = _parameters.ContainsKey("letsencrypt") ?
_parameters["letsencrypt"].ToLowerInvariant() == "y" : false;
if (!ValidateInstallation())
{
return;
}
var ssl = letsEncrypt;
if (!letsEncrypt)
{
Console.Write("(!) Do you have a SSL certificate to use? (y/n): ");
ssl = Console.ReadLine().ToLowerInvariant() == "y";
if (ssl)
{
Console.WriteLine("Make sure 'certificate.crt' and 'private.key' are provided in the " +
"appropriate directory (see setup instructions).");
}
}
var identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
var certBuilder = new CertBuilder(domain, identityCertPassword, letsEncrypt, ssl);
var selfSignedSsl = certBuilder.BuildForInstall();
ssl = certBuilder.Ssl; // Ssl prop can get flipped during the build
var url = ssl ? $"https://{domain}" : $"http://{domain}";
var nginxBuilder = new NginxConfigBuilder(domain, ssl, selfSignedSsl, letsEncrypt);
nginxBuilder.BuildForInstaller();
Console.Write("(!) Do you want to use push notifications? (y/n): ");
var push = Console.ReadLine().ToLowerInvariant() == "y";
var environmentFileBuilder = new EnvironmentFileBuilder
{
DatabasePassword = Helpers.SecureRandomString(32),
Domain = domain,
IdentityCertPassword = identityCertPassword,
InstallationId = _installationId,
InstallationKey = _installationKey,
OutputDirectory = outputDir,
Push = push,
Url = url
};
environmentFileBuilder.Build();
var appSettingsBuilder = new AppSettingsBuilder(url, domain);
appSettingsBuilder.Build();
var appIdBuilder = new AppIdBuilder(url);
appIdBuilder.Build();
}
private static void Install()
{
var outputDir = _parameters.ContainsKey("out") ?
_parameters["out"].ToLowerInvariant() : "/etc/bitwarden";
var domain = _parameters.ContainsKey("domain") ?
_parameters["domain"].ToLowerInvariant() : "localhost";
var letsEncrypt = _parameters.ContainsKey("letsencrypt") ?
_parameters["letsencrypt"].ToLowerInvariant() == "y" : false;
if (!ValidateInstallation())
{
return;
}
var ssl = letsEncrypt;
if (!letsEncrypt)
{
Console.Write("(!) Do you have a SSL certificate to use? (y/n): ");
ssl = Console.ReadLine().ToLowerInvariant() == "y";
if (ssl)
{
Directory.CreateDirectory($"/bitwarden/ssl/{domain}/");
Console.WriteLine("Make sure 'certificate.crt' and 'private.key' are provided in the " +
"appropriate directory (see setup instructions).");
}
}
var identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
var certBuilder = new CertBuilder(domain, identityCertPassword, letsEncrypt, ssl);
var selfSignedSsl = certBuilder.BuildForInstall();
ssl = certBuilder.Ssl; // Ssl prop can get flipped during the build
var url = ssl ? $"https://{domain}" : $"http://{domain}";
Console.Write("(!) Do you want to use the default ports for HTTP (80) and HTTPS (443)? (y/n): ");
var defaultPorts = Console.ReadLine().ToLowerInvariant() == "y";
int httpPort = default(int), httpsPort = default(int);
if (!defaultPorts)
{
Console.Write("(!) HTTP port: ");
if (int.TryParse(Console.ReadLine().ToLowerInvariant().Trim(), out httpPort))
{
if (ssl)
{
Console.Write("(!) HTTPS port: ");
if (int.TryParse(Console.ReadLine().ToLowerInvariant().Trim(), out httpsPort))
{
if (httpsPort != 443)
{
url += (":" + httpsPort);
}
}
else
{
Console.WriteLine("Invalid HTTPS port.");
httpPort = httpsPort = default(int);
}
}
else if (httpPort != 80)
{
url += (":" + httpPort);
}
}
else
{
Console.WriteLine("Invalid HTTP port.");
}
}
Console.Write("(!) Is your installation behind a reverse proxy? (y/n): ");
var reverseProxy = Console.ReadLine().ToLowerInvariant() == "y";
if (reverseProxy)
{
Console.Write("(!) Do you use the default ports on your reverse proxy (80/443)? (y/n): ");
var proxyDefaultPorts = Console.ReadLine().ToLowerInvariant() == "y";
if (proxyDefaultPorts)
{
url = ssl ? $"https://{domain}" : $"http://{domain}";
}
else
{
int httpReversePort = default(int), httpsReversePort = default(int);
Console.Write("(!) Proxy HTTP port: ");
if (int.TryParse(Console.ReadLine().ToLowerInvariant().Trim(), out httpReversePort))
{
if (ssl)
{
Console.Write("(!) Proxy HTTPS port: ");
if (int.TryParse(Console.ReadLine().ToLowerInvariant().Trim(), out httpsReversePort))
{
if (httpsReversePort != 443)
{
url += (":" + httpsReversePort);
}
}
else
{
Console.WriteLine("Invalid proxy HTTPS port.");
httpReversePort = httpsReversePort = default(int);
}
}
else if (httpReversePort != 80)
{
url += (":" + httpReversePort);
}
}
else
{
Console.WriteLine("Invalid proxy HTTP port.");
}
}
}
Console.Write("(!) Do you want to use push notifications? (y/n): ");
var push = Console.ReadLine().ToLowerInvariant() == "y";
var nginxBuilder = new NginxConfigBuilder(domain, url, ssl, selfSignedSsl, letsEncrypt);
nginxBuilder.BuildForInstaller();
var environmentFileBuilder = new EnvironmentFileBuilder
{
DatabasePassword = Helpers.SecureRandomString(32),
Domain = domain,
IdentityCertPassword = identityCertPassword,
InstallationId = _installationId,
InstallationKey = _installationKey,
OutputDirectory = outputDir,
Push = push,
Url = url
};
environmentFileBuilder.BuildForInstaller();
var appSettingsBuilder = new AppSettingsBuilder();
appSettingsBuilder.Build();
var appIdBuilder = new AppIdBuilder(url);
appIdBuilder.Build();
var dockerComposeBuilder = new DockerComposeBuilder(_hostOs, _webVersion, _coreVersion);
dockerComposeBuilder.BuildForInstaller(httpPort, httpsPort);
}
private static void Install()
{
var outputDir = _parameters.ContainsKey("out") ?
_parameters["out"].ToLowerInvariant() : "/etc/bitwarden";
var domain = _parameters.ContainsKey("domain") ?
_parameters["domain"].ToLowerInvariant() : "localhost";
var letsEncrypt = _parameters.ContainsKey("letsencrypt") ?
_parameters["letsencrypt"].ToLowerInvariant() == "y" : false;
if (!ValidateInstallation())
{
return;
}
var ssl = letsEncrypt;
if (!letsEncrypt)
{
ssl = Helpers.ReadQuestion("Do you have a SSL certificate to use?");
if (ssl)
{
Directory.CreateDirectory($"/bitwarden/ssl/{domain}/");
var message = "Make sure 'certificate.crt' and 'private.key' are provided in the \n" +
"appropriate directory before running 'start' (see docs for info).";
Helpers.ShowBanner("NOTE", message);
}
}
var identityCertPassword = Helpers.SecureRandomString(32, alpha: true, numeric: true);
var certBuilder = new CertBuilder(domain, identityCertPassword, letsEncrypt, ssl);
var selfSignedSsl = certBuilder.BuildForInstall();
ssl = certBuilder.Ssl; // Ssl prop can get flipped during the build
var sslTrusted = letsEncrypt;
var sslDiffieHellman = letsEncrypt;
if (ssl && !selfSignedSsl && !letsEncrypt)
{
sslDiffieHellman = Helpers.ReadQuestion("Use Diffie Hellman ephemeral parameters for SSL " +
"(requires dhparam.pem, see docs)?");
sslTrusted = Helpers.ReadQuestion("Is this a trusted SSL certificate (requires ca.crt, see docs)?");
}
if (!ssl)
{
var message = "You are not using a SSL certificate. Bitwarden requires HTTPS to operate. \n" +
"You must front your installation with a HTTPS proxy. The web vault (and \n" +
"other Bitwarden apps) will not work properly without HTTPS.";
Helpers.ShowBanner("WARNING", message, ConsoleColor.Yellow);
}
else if (ssl && !sslTrusted)
{
var message = "You are using an untrusted SSL certificate. This certificate will not be \n" +
"trusted by Bitwarden client applications. You must add this certificate to \n" +
"the trusted store on each device or else you will receive errors when trying \n" +
"to connect to your installation.";
Helpers.ShowBanner("WARNING", message, ConsoleColor.Yellow);
}
var url = $"https://{domain}";
int httpPort = default(int), httpsPort = default(int);
if (Helpers.ReadQuestion("Do you want to use the default ports for HTTP (80) and HTTPS (443)?"))
{
httpPort = 80;
if (ssl)
{
httpsPort = 443;
}
}
else if (ssl)
{
httpsPort = 443;
if (int.TryParse(Helpers.ReadInput("HTTPS port").Trim(), out httpsPort) && httpsPort != 443)
{
url += (":" + httpsPort);
}
else
{
Console.WriteLine("Using default port.");
}
}
else
{
httpPort = 80;
if (!int.TryParse(Helpers.ReadInput("HTTP port").Trim(), out httpPort) && httpPort != 80)
{
Console.WriteLine("Using default port.");
}
}
if (Helpers.ReadQuestion("Is your installation behind a reverse proxy?"))
{
if (Helpers.ReadQuestion("Do you use the default HTTPS port (443) on your reverse proxy?"))
{
url = $"https://{domain}";
}
else
{
if (int.TryParse(Helpers.ReadInput("Proxy HTTPS port").Trim(), out var httpsReversePort) &&
httpsReversePort != 443)
{
url += (":" + httpsReversePort);
}
else
{
Console.WriteLine("Using default port.");
url = $"https://{domain}";
}
}
}
else if (!ssl)
{
Console.WriteLine("ERROR: You must use a reverse proxy if not using SSL.");
return;
}
var push = Helpers.ReadQuestion("Do you want to use push notifications?");
var nginxBuilder = new NginxConfigBuilder(domain, url, ssl, selfSignedSsl, letsEncrypt,
sslTrusted, sslDiffieHellman);
nginxBuilder.BuildForInstaller();
var environmentFileBuilder = new EnvironmentFileBuilder
{
DatabasePassword = Helpers.SecureRandomString(32),
Domain = domain,
IdentityCertPassword = identityCertPassword,
InstallationId = _installationId,
InstallationKey = _installationKey,
OutputDirectory = outputDir,
Push = push,
Url = url
};
environmentFileBuilder.BuildForInstaller();
var appIdBuilder = new AppIdBuilder(url);
appIdBuilder.Build();
var dockerComposeBuilder = new DockerComposeBuilder(_hostOs, _webVersion, _coreVersion);
dockerComposeBuilder.BuildForInstaller(httpPort, httpsPort);
}
